Terrorist’s manifesto used to spread disk-wiping malware

Be careful what you download…

The world was horrified earlier this month by the mass-shootings of worshippers at mosques in Christchurch, New Zealand.

The alleged culprit reportedly distributed a 73-page so-called manifesto entitled “The Great Replacement”, chockablock with white supremacist rhetoric.

The document was circulated on forums and social media websites, and – in an attempt to prevent its spread – New Zealand’s government classified it as “objectionable”, and made it a crime to possess or distribute it anywhere in the country.

Well, if you needed any other reason not to hunt the internet for a copy of “The Great Replacement” to download, here’s one from the research team at security firm Blue Hexagon.

As researcher Irfan Asrar describes, someone has taken a copy of the shooter’s Word document and weaponised it to download malicious code from the internet.

Anyone opening the modified manifesto could find their computer’s Master Boot Record (MBR) destructively overwritten, and as their Windows computer reboots they’ll be faced with a message:

This is not us!


In many ways it’s a throwback to the early days of malware, when some viruses would overwrite a PC’s boot-up code and display messages such as “Your computer is now stoned!”. And yes, virus historians, I’m well aware that the Stoned virus was also known as New Zealand…

This new malware hasn’t been created to grant remote hackers access to an infected PC, nor to steal files, or hold the victim to ransom. My guess is that whoever created the malware-laden version of the document was outraged by the horror of the shooting of innocent people, and simply wanted to bloody the nose of anyone showing an unhealthy interest in it.
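For anyone triaging a machine that will not boot after an incident like this, the sketch below inspects a saved copy of sector 0 and reports which parts of the MBR survived. It is an added example, not code from Blue Hexagon or from this article; it assumes the standard 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, a 0x55AA signature), and the sample sectors are constructed. The article does not say which bytes the malware overwrites, so the two damaged cases are illustrative.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0-445: bootstrap code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511

def parse_partitions(sector):
    """Decode the four 16-byte partition entries, skipping all-zero slots."""
    parts = []
    for i in range(4):
        raw = sector[BOOT_CODE_LEN + 16 * i : BOOT_CODE_LEN + 16 * (i + 1)]
        if raw == bytes(16):
            continue
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        parts.append({"slot": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts

def triage_mbr(sector, baseline_sha256=None):
    """Report what in a sector-0 image looks damaged and what survived."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    sane = [p for p in parts if p["status"] in (0x00, 0x80)
            and p["type"] != 0 and p["lba_start"] > 0 and p["sectors"] > 0]
    table_ok = bool(parts) and len(sane) == len(parts)
    if not table_ok:
        findings.append("partition table empty or implausible")
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if baseline_sha256 and code_hash != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    return {"findings": findings, "table_ok": table_ok, "partitions": sane}

# Constructed sample sectors (not taken from any real disk or malware sample).
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
_table = _entry + bytes(48)
HEALTHY = bytes([0x90]) * BOOT_CODE_LEN + _table + BOOT_SIGNATURE
BASELINE = hashlib.sha256(HEALTHY[:BOOT_CODE_LEN]).hexdigest()
CODE_REPLACED = bytes([0xCC]) * BOOT_CODE_LEN + _table + BOOT_SIGNATURE
FULLY_OVERWRITTEN = bytes([0xCC]) * SECTOR_SIZE

if __name__ == "__main__":
    for name, img in [("healthy", HEALTHY), ("code replaced", CODE_REPLACED),
                      ("fully overwritten", FULLY_OVERWRITTEN)]:
        print(name, triage_mbr(img, BASELINE)["findings"])
```

When `table_ok` is true the partition layout is still readable and only the boot code needs restoring; when it is false the partitions have to be located by other means before the data can be reached.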

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

6 comments on “Terrorist’s manifesto used to spread disk-wiping malware”

  1. Smashdamn

    Lol thanks for the warning deleted the file and got the pastebin version instead.

  2. Drew Lewis

    Wow, for a "security" website you sure have no idea what you are talking about. Just another garbage clickbait site to avoid.

    Disk-wiping? That's not a stretch it's a blatant lie or the ramblings of a confused old man.

    Either way it shows everything on this site is misinformation.

    1. Graham Cluley · in reply to Drew Lewis

      It overwrites the MBR. So yeah, it doesn't wipe the entire hard drive.

      1. Ian Moone · in reply to Graham Cluley

        MBR is only 512mb so far from an entire hard drive. It's like 1 grain of sand from a bag of sand. But a pain on the bum for someone who's not tech savvy to fix.

        1. Graham Cluley · in reply to Ian Moone

          I remember in the old days some folks would reformat their hard drives when they discovered they had been infected by an MBR virus like Stoned – not realising that they had just wiped all of their hard drive, *apart* from the virus. Oops!

  3. Dave

    This is awesome, shame just wipes the MBR. As a previous cretin has pointed out, it won't stop people reading it, but it might put a few people off.
